Social Networking as a Spam Vector
Written by Paul Cunningham on April 17, 2009
I use a few of the more popular social networking tools on the web these days to connect with friends, colleagues, and interesting people. This week I had an experience that, while harmless to me, made me consider some of the risks of social networking to an organisation and their possibly less savvy end users.
The experience started with a typical “friend” request sent to me by a stranger. When I have the time I always go through these requests and check to see if any of them are worth accepting and making a new connection. This particular request showed some immediate signs of being spam-like, but with a few minutes free I decided to explore it a little anyway.
The friend request came from a user with typical spam signals, including:
- Attractive female profile picture
- Regular posts with links to product pages but little genuine interaction evident
- A link to a main site with a domain name intended to draw the “get rich quick, easy money secrets” internet user
Following a few links I was presented with the typical “internet marketing” sales page, complete with big promises, glowing testimonials, vague references to “secrets” and “proven systems”, and a massively over-priced product with a limited time offer of a dramatic discount if you buy right now!
So what does this have to do with protecting businesses from spam? Two things.
Firstly, spam sent via a social network is not something an organisation can combat with a security product in their network. It can only be approached in one of two ways – either block the social networking sites completely (an unpopular approach among staff) or trust your staff to use them in moderation and apply common sense to spam-like activity on them.
Secondly, spammers (or internet marketers as many of them prefer to be called) know that one of the best ways to get a new prospect on the hook is to give them something for free. In the case of the sales page I was visiting I could see just such an offer on display. To get the first part of their “revealing” product for free all I had to do was provide my own email address and the email address of two other people.
As I recently wrote here, one of the ways spammers get their hands on email addresses is with free online giveaways. This spammer has taken it one step further and wants you to give them two more email addresses as well. It is a canny move because most people will give up something of perceived low value (an email address) for something of perceived high value (something normally sold at a premium price but offered as a free sample).
Put yourself in the end user’s shoes for a moment. Times are tough for everyone, and this website is offering you a free peek at the secrets to making money online. You want it now, not later, so you’re going to give them your work email address instead of your home email address. You need to think of two other email addresses quickly to get the free product, so you type in the email addresses of your two closest colleagues.
Now you’ve given the spammer three valid email addresses to target with a range of scam offers. You’ve also told them a little something about yourself – that you’re interested in making some money online and you’re looking for quick and easy ways of doing it. This means they can send you a more focused set of spam emails to play on this particular desire of yours.
As I played out this scenario in my mind I started thinking about how I could protect a business from this kind of risk. As mentioned earlier, blocking social networking sites entirely is not going to be popular among staff, and it also cuts off some legitimate communication tools that can benefit a business. End user education is effective only to a degree, and you have to assume that eventually someone will let their guard down.
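One control that fits this gap, as an added example that is not from the original post: rather than blocking the sites, watch the outbound web traffic for form posts that carry your own email addresses to hosts you do not recognise. The script below is illustration code; the proxy log format (one line of "timestamp user destination-host url-encoded-body"), the example.com mail domain, the allowlisted hosts and the log lines themselves are all constructed for the example and are not real data.

```python
"""Flag outbound web form posts that carry internal email addresses to
external hosts. Added example, not part of the original post.

Assumptions (constructed for the illustration):
  - a web proxy logs each POST as "<time> <user> <dest_host> <urlencoded body>"
  - example.com is the organisation's mail domain
  - ALLOWED_HOSTS lists third parties the business legitimately sends to
"""
import re
from urllib.parse import parse_qs

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain
ALLOWED_HOSTS = {"crm-vendor.example.net"}  # assumed legitimate third party

# Matches any address at the internal domain, case-insensitively.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@" + re.escape(INTERNAL_DOMAIN),
                      re.IGNORECASE)

# Constructed sample proxy lines: the first one is the scenario from the post,
# one user handing over their own address plus two colleagues' addresses.
SAMPLE_LOG = """\
2009-04-17T09:12:03 jsmith get-rich-secrets.example.org email=jsmith%40example.com&friend1=abrown%40example.com&friend2=clee%40example.com&submit=Get+It+Now
2009-04-17T09:15:44 jsmith mail.example.com to=abrown%40example.com&subject=lunch
2009-04-17T10:02:10 abrown news.example.org q=social+networking
2009-04-17T11:30:00 clee crm-vendor.example.net contact=clee%40example.com
2009-04-17T12:01:09 jsmith free-money-system.example.org email=jsmith%40example.com
"""


def parse_line(line):
    """Split one constructed log line into (time, user, host, body)."""
    ts, user, host, body = line.split(" ", 3)
    return ts, user, host, body


def internal_addresses(body):
    """Return the set of internal email addresses found in a URL-encoded
    form body. parse_qs decodes %40 back to @ before matching."""
    found = set()
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            for match in EMAIL_RE.findall(value):
                found.add(match.lower())
    return found


def is_trusted_host(host):
    """Internal hosts and allowlisted third parties are not alerted on."""
    return host in ALLOWED_HOSTS or host.endswith("." + INTERNAL_DOMAIN)


def find_leaks(log_text, min_addresses=1):
    """Return one alert per POST to an untrusted host that carries at least
    min_addresses distinct internal email addresses. Raising min_addresses
    to 2 isolates the "give us your colleagues' addresses" pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, body = parse_line(line)
        if is_trusted_host(host):
            continue
        addrs = internal_addresses(body)
        if len(addrs) >= min_addresses:
            alerts.append({"time": ts, "user": user, "host": host,
                           "addresses": sorted(addrs)})
    return alerts


def exposed_addresses(alerts):
    """Union of every internal address seen leaving to an untrusted host,
    i.e. the addresses to watch more closely on the inbound mail filter."""
    return sorted({a for alert in alerts for a in alert["addresses"]})


if __name__ == "__main__":
    for alert in find_leaks(SAMPLE_LOG):
        print(alert["time"], alert["user"], "->", alert["host"],
              ", ".join(alert["addresses"]))
    print("Exposed:", ", ".join(exposed_addresses(find_leaks(SAMPLE_LOG))))
```

The output of `exposed_addresses` is the useful part: it tells you which mailboxes to expect the follow-up spam at, which is exactly the point the rest of this post makes about where the protection has to sit.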
In the end, all you can really do is ensure that once your organisation’s email addresses are exposed in some way, you are protecting them from the inevitable spam that follows with a reliable email anti-spam and anti-virus system.